AccessChk is a console utility for searching for objects—such as files, registry keys, and services—that grant permissions to specific users or groups, as well as providing detailed information on permissions granted.

AccessEnum is a GUI utility
that searches a file or registry hierarchy and identifies where
permissions might have been changed.

ShareEnum is a GUI utility
that enumerates file and printer shares on your network and who can
access them.

ShellRunAs is a shell
extension that restores the ability to run a program under a
different user account on Windows Vista.

Autologon is a GUI utility
that lets you configure a user account for automatic logon when the
system boots.

LogonSessions is a console
utility that enumerates active Local Security Authority (LSA) logon
sessions on the current computer.

SDelete is a console
utility for securely deleting files or folder structures and erasing
data in unallocated areas of the hard drive.

SigCheck

SigCheck is a multipurpose console utility for performing
security-related functions on one or more files or a folder hierarchy.
Its primary purpose is to verify whether files are digitally signed
with a trusted certificate. As Figure 8-1 shows, SigCheck
can also report catalog and image signer information, calculate file
hashes using several hash algorithms, and display extended version
information. It can also display a file’s embedded manifest, scan
folders for unsigned files, and report results in comma-separated
value (CSV) format.

Figure 8-1 Output from sigcheck –a –i –h c:\windows\explorer.exe.

A digital signature associated with a file helps to
ensure the file’s authenticity and integrity. A verified signature
demonstrates that the file came from the owner of the code-signing
certificate and that the file has not been modified since its signing.
The assurance provided by a code-signing certificate depends largely
on the diligence of the certification authority (CA) that issued the
certificate to authenticate the proposed owner, on the diligence of
the certificate owner to protect the certificate’s private key from
disclosure, and on the verifying system not allowing the installation
of rogue root CA certificates.

As part of the cost of doing business and providing assurance to
customers, most legitimate software publishers will purchase a
code-signing certificate from a legitimate CA, such as VeriSign or
Thawte, and sign the files they distribute to customer computers. The
lack of a valid signature on an executable file that purports to be
from a legitimate publisher is reason for suspicion.

NOTE

In the past, malware was rarely signed. As the sophistication
of malware publishers has increased, however, even this is no longer
a guarantee. Some malware publishers are now setting up front
organizations and purchasing code-signing certificates from
legitimate CAs. Others are stealing poorly-protected private keys
from legitimate businesses and using those keys to sign
malware.

SigCheck’s command-line parameters provide numerous options for
performing verifications, specifying the files to scan, and formatting
output. The syntax is shown here, followed by Table 8-1, which provides a summary of the parameters:

Table 8-1 SigCheck Command-Line Parameters

Parameter   Description

target      Specifies the file or directory to process. It can include wildcard characters.

Signature Verification

–i          Shows the catalog name and image signers.
–r          Checks for certificate revocation.
–u          Reports unsigned files only, including files that have invalid signatures.
–c          Looks for a signature in the specified catalog file.

Which Files to Scan

–e          Scans executable files only. (It looks at the file headers, not the extension, to determine whether a file is an executable.)
–s          Recurses subdirectories.

Additional File Information

–a          Shows extended version information.
–h          Shows file hashes.
–m          Shows the manifest.
–n          Shows the file version number only.

Output Format

–v          CSV output (not compatible with –i or –m).
–q          Quiet (suppresses the banner).

The target parameter is the
only required one. It can specify a single file, such as explorer.exe;
it can specify multiple files using a wildcard, such as *.dll; or it
can specify a folder, using relative or absolute paths. If you specify
a folder, SigCheck scans every file in the folder. The following
command scans every file in the current folder:

sigcheck .

Signature Verification

Without further parameters, SigCheck reports the following for each file scanned:

Verified If the file has been signed with a code-signing
certificate that derives from a root certification authority
that is trusted on the current computer, and the file has not
been modified since its signing, this field reports Signed. If
it has not been signed, this field reports Unsigned. If it has
been signed but there are problems with the signature, those
problems are noted. Problems can include the following: the
signing certificate was outside its validity period at the
time of the signing; the root authority is not trusted (which
can happen with a self-signed certificate, for example); the
file has been modified since signing.

Signing date Shows the date on which the file was signed. This field shows n/a if the file has not been signed.

Publisher The Company Name field from the file’s version resource, if found.

Description The Description field from the file’s version resource, if found.

Product The Product Name field from the file’s version resource, if found.

Version The Product Version field from the file’s version resource, if found. Note that this is from the string portion of the version resource, not the binary value that is used for version comparison.

File version The File Version field from the file’s version resource, if found. Note that this, too, is from the string portion of the version resource.

To show additional signature details, add –i to the command line. Using this
parameter shows the following two additional fields if the file’s
signature is valid:

Catalog Reports the file in which the signature is stored. In
many cases, the file indicated will be the same as the file
that was signed. However, if the file was
catalog-signed, the signature will be
stored in a separate, signed catalog file. Many files that
ship with Windows are catalog-signed. Catalog-signing can
improve performance in some cases, but it’s particularly
useful for signing nonexecutable files that have a file format
that does not support embedding signature information.

Signers Shows the Subject CN name from the code-signing
certificate and from the CA certificates in its chain.

By default, SigCheck does not check whether the signing
certificate has been revoked by its issuer. To verify that the
signing certificate and the certificates in its chain have not been
revoked, add –r to the command
line. Note that revocation checking can add significant network
latency to the signature check, because SigCheck has to query
certificate revocation list (CRL) distribution points.

To focus your search only for unsigned files, add –u to the command line. SigCheck then scans
all specified files, but it reports only those that are not signed
or that have signatures that cannot be verified.

Windows maintains a database of signature catalogs to enable
quick lookup of signature information based on a file hash. If you
want to verify a file against a catalog file that is not registered
in the database, specify the catalog file on the SigCheck command
line with the –c option.

Which Files to Scan

Most nonexecutable files are not digitally signed with
code-signing certificates. Some nonexecutable files that ship with
Windows and that are never modified might be catalog-signed, but data files that can be
updated—including initialization files, registry hive backing files,
document files, and temporary files—are never code-signed. If you
scan a folder that contains a large number of such files, you might
have difficulty finding the unsigned executable files that are
usually of greater interest. To filter out these false
positives, you could search just for
*.exe, then *.dll, then
*.ocx, then *.scr, and so
on. The problem with that approach isn’t all the extra work or that
you might miss an important extension. The problem is that an
executable file with a .tmp extension, or any other extension, or
no extension at all can still be launched! And
malware authors often hide their files from inspection by
masquerading under apparently innocuous file extensions.

So instead of filtering on file extensions, add –e to the SigCheck command line to scan
only executable files. When you do, SigCheck will verify whether the
file is an executable before verifying its signature and ignore the
file if it’s not. Specifically, SigCheck checks whether the first
two bytes are MZ. All 16-bit, 32-bit, and
64-bit Windows executables—including applications, DLLs, and system
drivers—begin with these bytes. SigCheck ignores the file extension,
so executables masquerading under other file extensions still get
scanned.

To search a folder hierarchy instead of a single folder, add
–s to the SigCheck command line.
SigCheck then scans files matching the target
parameter in the folder specified by target
parameter (or in the current folder if target
doesn’t specify a folder) and in all subfolders. The following
command scans all *.dll files in and under the C:\Program Files
folder:

sigcheck -s "c:\program files\*.dll"
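The two preceding passages describe how –e decides what counts as an executable (the first two bytes are MZ, the extension is ignored) and how –s extends a scan to subfolders. The following Python script is an added example, not SigCheck's own code or anything from the book, that reproduces just that selection logic over a constructed sample tree; the file names and contents it creates in a temporary folder are made up for the demonstration, and the function names are the example's own.

```python
import tempfile
from pathlib import Path


def build_sample_tree(root: Path) -> None:
    """Create a constructed sample tree (not real system files).

    It mirrors the cases the text warns about: an executable hidden under a
    .tmp extension, one with no extension at all, and a text file that merely
    carries a .dll extension.
    """
    (root / "sub").mkdir(parents=True, exist_ok=True)
    (root / "app.exe").write_bytes(b"MZ" + b"\x90" * 62)              # ordinary executable
    (root / "sub" / "hidden.tmp").write_bytes(b"MZ" + b"\x00" * 62)   # executable masquerading as .tmp
    (root / "noext").write_bytes(b"MZ" + b"\x00" * 62)                # executable with no extension
    (root / "fake.dll").write_bytes(b"plain text, not a PE image\n")   # .dll extension, not executable
    (root / "config.ini").write_bytes(b"[settings]\nkey=value\n")      # data file, never code-signed


def is_executable(path: Path) -> bool:
    """The same test SigCheck -e applies: do the first two bytes read 'MZ'?"""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def find_executables(target: Path, recurse: bool = False) -> list:
    """Return paths (relative to target) of files whose header says executable.

    recurse=True corresponds to adding -s: subfolders are scanned as well.
    Extensions are never consulted, so hidden.tmp and noext are still found
    while fake.dll is not.
    """
    base = target if target.is_dir() else target.parent
    if target.is_file():
        candidates = [target]
    elif recurse:
        candidates = [p for p in target.rglob("*") if p.is_file()]
    else:
        candidates = [p for p in target.iterdir() if p.is_file()]
    return sorted(p.relative_to(base).as_posix() for p in candidates if is_executable(p))


def demo() -> tuple:
    """Build the sample tree in a temp folder and run both scan modes."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    flat = find_executables(root)                 # like: sigcheck -e <root>
    deep = find_executables(root, recurse=True)   # like: sigcheck -e -s <root>
    return flat, deep


if __name__ == "__main__":
    flat, deep = demo()
    print("single folder :", flat)
    print("with subfolders:", deep)
```

The header test is deliberately as minimal as the text describes it: any file whose first two bytes are MZ is reported, whatever its name. A fuller check would also validate the PE header that the MZ stub points to, but the point here is that filtering on extension alone would have missed two of the three executables.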

Additional File Information

Add the –a option to
extract additional information from every file scanned. Adding
–a augments the SigCheck output
with these fields:

Strong Name If the file is a .NET assembly and has a strong-name
signature, this field reports Signed; otherwise, it shows
Unsigned. (.NET’s strong-name signing is
independent of certificate-based code-signing and does not
imply any level of trust.)

Original Name The Original Name field from the file’s version resource, if found.

Internal Name The Internal Name field from the file’s version resource, if found.

Copyright The Copyright field from the file’s version resource, if found.

Comments The Comments field from the file’s version resource, if found.

A hash is a statistically unique value generated from a block
of data using a cryptographic algorithm, such that a small change in
the data results in a completely different hash. Because a good hash
algorithm makes it computationally infeasible using today’s
technology to modify the data without modifying the hash, hashes can
be used to detect changes to data from corruption or tampering. If
you add the –h option, SigCheck
calculates and displays hashes for the files it scans, using the MD5,
SHA1 and SHA256 algorithms. These hashes can be compared to hashes
calculated on a known-good system to verify file integrity. Hashes
are useful for files that are unsigned, but that have known master
versions. Also, some file-verification systems rely on hashes
instead of signatures.
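The paragraph above describes comparing the MD5, SHA1 and SHA256 hashes that –h reports against hashes taken on a known-good system. The Python below is an added example (not SigCheck's code and not from the book) of that comparison: it computes the same three hashes and checks them against a baseline, then shows that a one-byte change to the data fails every comparison. The baseline values and the sample content are constructed for the demonstration; the function names are the example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# The three algorithms SigCheck -h reports.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Return {algorithm: lowercase hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def file_hashes(path: Path, algorithms=ALGORITHMS) -> dict:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_against_baseline(path: Path, baseline: dict) -> dict:
    """Compare a file against known-good digests.

    baseline maps algorithm name -> expected hex digest, as recorded on the
    reference system. Comparison is case-insensitive because tools (SigCheck
    included) differ in whether they print hex in upper or lower case.
    """
    actual = file_hashes(path, baseline.keys())
    return {name: actual[name] == expected.lower() for name, expected in baseline.items()}


# Constructed known-good baseline: the digests of the 11-byte string
# b"hello world", standing in for hashes recorded on a clean system.
KNOWN_GOOD = {
    "md5": "5EB63BBBE01EEED093CB22BB8F5ACDC3",
    "sha1": "2AAE6C35C94FCFB415DBE95F408B9CE91EE846ED",
    "sha256": "B94D27B9934D3E08A52E52D7DA7DABFAC484EFE37A5380EE9088F7ACE2EFCDE9",
}


def demo() -> tuple:
    """Write an intact and a tampered copy of the sample data and verify both."""
    folder = Path(tempfile.mkdtemp())
    intact = folder / "sample.bin"
    intact.write_bytes(b"hello world")
    tampered = folder / "sample-modified.bin"
    tampered.write_bytes(b"hello worle")   # single byte changed at the end
    return verify_against_baseline(intact, KNOWN_GOOD), verify_against_baseline(tampered, KNOWN_GOOD)


if __name__ == "__main__":
    ok, bad = demo()
    print("intact  :", ok)    # every algorithm matches
    print("tampered:", bad)   # every algorithm fails, as a good hash should guarantee
```

Keeping all three algorithms in the baseline costs little and lets the comparison survive a tool that only emits one of them; for new baselines, SHA256 is the value to rely on, since MD5 and SHA1 collisions are practical today even though a stored digest of a specific file still detects accidental corruption.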

Application manifests are XML documents that can be embedded
in application files. They were first introduced in Windows XP to
enable the declaration of required side-by-side assemblies. Windows
Vista and Windows 7 each extended the manifest file schema to enable
an application to declare its compatibility with Windows versions
and whether it requires administrative rights to run. The presence
of a Windows Vista-compatible manifest also disables file and
registry virtualization for the process. To dump a file’s embedded
manifest, add –m to the SigCheck
command line. Here is the output from SigCheck reporting its own
manifest:

To output only the file’s version number,
add –n to the SigCheck command
line. SigCheck displays only the value of the File Version field in
the file’s version resource, if found, and it displays
n/a otherwise. This option can be useful in
batch files, and it’s best used when specifying a single target
file.

Command-line options, of course, can be combined. For example,
the following command searches the system32 folder hierarchy for
unsigned executable files, displaying hashes and detailed version
information for those files:

sigcheck -u -s -e -a -h c:\windows\system32

Output Format

SigCheck normally displays its output as a formatted
list, as shown in Figure 8-1. To report
output as comma-separated values (CSVs) to enable import into a
spreadsheet or database, add –v
to the SigCheck command line. SigCheck outputs column headers
according to the file information you requested through other
command-line options, followed by a line of comma-separated values
for each file scanned. Note that the –v option cannot be used with the –i or –m
option.

You can suppress the display of the SigCheck banner with the
–q option. Removing these lines
can help with batch-file processing of SigCheck output as well as
with CSV output.